| field | value | date |
|---|---|---|
| author | David Kalnischkies <david@kalnischkies.de> | 2019-01-23 20:50:29 +0100 |
| committer | David Kalnischkies <david@kalnischkies.de> | 2019-01-23 22:48:16 +0100 |
| commit | e2965b0b6bdd68ffcad0e06d11755412a7e16e50 | |
| tree | 24bac675db43d9e013f2e9481ca4599a350e3f34 /apt-pkg/tagfile.cc | |
| parent | 3734cceb44b02ca4d5ee3c6f5cbfe1e12f17cffb | |

Fail on non-signature lines in Release.gpg

The exploit for CVE-2019-3462 uses the fact that a Release.gpg file can
contain additional content beside the expected detached signature(s).
We were passing the file unchecked to gpgv which ignores these extras
without complaint, so we reuse the same line-reading implementation we
use for InRelease splitting to detect if a Release.gpg file contains
unexpected data and fail in this case given that in the previous
commit we established that we fail in the similar InRelease case now.

Diffstat (limited to 'apt-pkg/tagfile.cc')
0 files changed, 0 insertions, 0 deletions
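
The kind of line-by-line check the commit message describes, as an added C++ example that is not apt's code and not part of this commit: it accepts a detached-signature file only when every line lies inside an armored `PGP SIGNATURE` block. The names `SigScan`, `ScanDetachedSignature` and `ConstructedBlock`, the strict no-blank-lines policy and the sample data are assumptions of this sketch.

```cpp
#include <iostream>
#include <sstream>
#include <string>

// Outcome of scanning a detached-signature file such as Release.gpg.
enum class SigScan { Ok, NoSignature, UnexpectedLine, UnterminatedBlock };

static const std::string kBegin = "-----BEGIN PGP SIGNATURE-----";
static const std::string kEnd = "-----END PGP SIGNATURE-----";

// Accept the data only if every line lies inside an armored signature block.
// Assumed policy of this sketch (not apt's exact rules): trailing whitespace
// is trimmed and nothing, not even a blank line, may sit outside a block.
SigScan ScanDetachedSignature(const std::string &data) {
   std::istringstream in(data);
   std::string line;
   bool open = false;
   unsigned blocks = 0;
   while (std::getline(in, line)) {
      line.erase(line.find_last_not_of(" \t\r\n") + 1);
      if (open) {
         if (line == kEnd)
            open = false;
         else if (line.compare(0, 5, "-----") == 0)
            return SigScan::UnexpectedLine; // stray armor marker in a block
      } else if (line == kBegin) {
         open = true;
         ++blocks;
      } else {
         return SigScan::UnexpectedLine; // content gpgv would skip silently
      }
   }
   if (open)
      return SigScan::UnterminatedBlock;
   return blocks == 0 ? SigScan::NoSignature : SigScan::Ok;
}

// Constructed sample block; the base64 body is a placeholder, not a signature.
std::string ConstructedBlock() {
   return kBegin + "\n\nQ09OU1RSVUNURUQ=\n" + kEnd + "\n";
}

int main() {
   std::cout << (ScanDetachedSignature(ConstructedBlock()) == SigScan::Ok) << '\n';
   std::cout << (ScanDetachedSignature("extra line\n" + ConstructedBlock()) == SigScan::UnexpectedLine) << '\n';
}
```

A scan like this only decides whether the file is structurally a signature file; the signatures themselves still have to be verified by gpgv afterwards.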